June sees minor changes in the top positions compared to the previous month: the Virus.Win32.Neshta.a and Trojan.Win32.Jpgiframe families, which entered the Top 20 malicious programs in March, remain in the current Top 20. Several new families entered the Top 20 in June.

Trojan-Clicker.HTML.Iframe is designed to inflate site visitor statistics. The Trojan consists of fake HTML pages that contain encrypted links to the sites being promoted. When a user unknowingly opens an infected page, unsolicited connections are made to those URLs, fraudulently generating revenue for the attacker.
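As an added illustration (not code from the bulletin), the following Python script shows the kind of check a site administrator could run over a page's HTML to find the frames such a clicker depends on: iframes that point at a third-party host and are sized or styled so that the visitor never sees them. The sample page and the hiding patterns are constructed for this example; the hosts example.com and stats.example.invalid are placeholders.

```python
"""Flag iframes that a page's visitor is not meant to see.

Added example (not code from the bulletin). The sample HTML and the
hiding patterns below are constructed for this illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# CSS fragments commonly used to make a frame invisible (heuristic list).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:width|height)\s*:\s*0(?:px)?\s*(?:;|$)",
    re.I,
)

# Constructed sample: one legitimate embed and one hidden third-party frame.
SAMPLE_HTML = """<html><body><h1>Welcome</h1>
<iframe src="https://example.com/video" width="640" height="360"></iframe>
<iframe src="http://stats.example.invalid/count.php" width="1" height="1"
        style="visibility:hidden"></iframe>
</body></html>"""


class IframeAuditor(HTMLParser):
    """Collect every iframe together with the reasons it looks suspicious."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        # A frame loading content from a host other than the page's own.
        if host and host != self.page_host:
            reasons.append("third-party src")
        # A 0x0 or 1x1 frame has no visible purpose.
        if a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1"):
            reasons.append("zero/one-pixel size")
        # Inline CSS that hides the frame entirely.
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden via CSS")
        if reasons:
            self.findings.append((src, reasons))


def audit_html(html, page_host):
    """Return [(src, reasons)] for every iframe matching at least one heuristic."""
    auditor = IframeAuditor(page_host)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for src, reasons in audit_html(SAMPLE_HTML, "example.com"):
        print(f"{src}: {', '.join(reasons)}")
```

Because clickers often write the frame from obfuscated JavaScript at page load, a static scan of the served HTML can miss it; run the same check over the rendered DOM (or inspect inline scripts) when the static source looks clean.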

MSIL.Backdoor.Agent. Backdoors give an attacker unauthorized remote access to the infected system. This backdoor is written in .NET, so only computers with the .NET Framework installed can be infected.

INF.Autorun. INF files are used by Microsoft Windows to automatically run or install applications. An attacker stores an autorun.inf file in the root directory of logical, removable and network drives together with the worm’s executable files. This launches the worm each time a user opens the infected drive in Windows Explorer.
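The following Python script is an added example (not from the bulletin) of how a defender can audit an autorun.inf found at the root of a drive: it parses the [autorun] section, lists the commands Windows would launch, and flags the tell-tale signs of a worm dropper. The sample file, the folder names and the risk heuristics are constructed for this illustration.

```python
"""Audit an autorun.inf: what would Windows launch, and does it look like a worm?

Added example (not from the bulletin). It reads the documented [autorun]
keys (open, shellexecute, shell\\<verb>\\command, icon, action, label); the
sample file and the risk heuristics are constructed for this illustration.
"""
import re

# Keys whose value is a command Windows may run when the drive is opened.
EXEC_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)
EXEC_EXT = (".exe", ".com", ".scr", ".bat", ".cmd", ".pif", ".vbs", ".js")
# Folder names commonly used to keep the payload out of sight in Explorer
# (heuristic list, constructed for this example).
HIDDEN_DIRS = ("recycler", "recycled", "$recycle.bin", "system volume information")

SAMPLE_INF = r"""[autorun]
; constructed sample for this example, not a captured file
open=RECYCLER\update.exe
shell\open\command=RECYCLER\update.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
label=Photos
"""


def parse_inf(text):
    """Minimal INF/INI reader: {section: {key: value}}, keys lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_autorun(text):
    """Return the launch targets and a list of human-readable risk flags."""
    auto = parse_inf(text).get("autorun", {})
    launches = sorted(
        {auto[k].split()[0].strip('"') for k in auto if EXEC_KEYS.match(k) and auto[k]}
    )
    flags = []
    for target in launches:
        t = target.lower()
        if t.endswith(EXEC_EXT):
            flags.append(f"{target}: launches an executable stored on the drive")
        if any(t.startswith(d) or f"\\{d}" in t for d in HIDDEN_DIRS):
            flags.append(f"{target}: payload sits in a hidden/recycler-style folder")
    # The 'action' text is what the AutoPlay dialog shows; copying Explorer's
    # own wording tricks the user into running the payload.
    if "open folder" in auto.get("action", "").lower():
        flags.append("action text mimics Explorer's own 'Open folder to view files' entry")
    # Borrowing a system icon makes the drive look like an ordinary folder.
    if "shell32.dll" in auto.get("icon", "").lower():
        flags.append("icon borrowed from shell32.dll so the drive looks like a plain folder")
    return {"launches": launches, "flags": flags}


if __name__ == "__main__":
    report = audit_autorun(SAMPLE_INF)
    print("would launch:", report["launches"])
    for flag in report["flags"]:
        print(" -", flag)
```

Run it against the autorun.inf of any drive you are about to open; an entry that launches an executable from a recycler-style folder, combined with the "Open folder to view files" wording, is the classic dropper pattern, and disabling AutoRun for removable media removes the launch vector altogether.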

New Incomings to the Lab

Let’s review the number of unique files that share the same detection name.

A new generic detection, Trojan.Win32.Generic.pak!cobra, has entered the Top 20. The top positions are still occupied by viruses and generic detections, since most signatures belong to these categories. Let’s consider some of them.

Virus.Win32.Xpaj.A infects x86 PE EXE and PE DLL files. In addition, the virus has backdoor and bootkit-like behaviour. It uses a special technique to counteract antivirus applications: it registers a process-creation notification callback with PsSetCreateProcessNotifyRoutine, and this is how the antivirus is blocked. Whenever a process starts on the system, the virus calculates a checksum of the process name and compares it with its internal checksum list. If the checksum of the name matches an entry in the list inside the virus body, it writes code to the process entry point that terminates the process.

To hide the bootkit and its data in the last sectors of the drive, the virus hooks the NtReadFile and NtWriteFile functions.

Diagnosing the system for installed hooks and MBR infection with the GMER anti-rootkit

Trojan.Win32.Carberp (Trojan.Win32.Generic.pak!cobra) is used by attackers to steal confidential data from trading and online banking platforms. The latest versions of the Trojan contain bootkit-like features. The Trojan supports a plugin system; plugins are used to counteract antivirus products and rival botnets, to perform DDoS attacks and to steal confidential data. Below is an example of how the bankbot is sold on blackhat forums:

Offer for Multifunctional Carberp Bankbot

According to the latest news from ESET, all of the botnet’s creators have been arrested.

Backdoor.Win32.Shiz (Trojan.Win32.Generic!BT) has a wide range of features. A peculiarity of this malicious program is that it evades antivirus detection through server-side polymorphism: a polymorphic mutator engine runs on the attacker’s server and is updated periodically:

Comparison of two modifications of Backdoor.Win32.Shiz

Worm.LNK.Autorun.bqj exploits a vulnerability in LNK (shortcut) files. Attackers continue to exploit the vulnerability discovered in June 2010 during the investigation of Stuxnet. Despite the MS10-046 update issued by Microsoft, which closes the vulnerability, the number of LNK files exploiting it keeps growing:

Received LNK samples

Top 20 Potentially Unwanted Programs

Below is the Top 20 of Potentially Unwanted Programs blocked by Ad-Aware on users’ PCs. These are advertising software, browser toolbars, search engines and other programs that change browser start pages and other system settings.

| Position | Ad-Aware detection | % of all threats | Change |
|---|---|---|---|
| 1 | MyWebSearch | 30.99% | +0.09% |
| 2 | Win32.Toolbar.Iminent | 16.52% | -2.96% |
| 3 | SweetIM | 12.53% | +5.39% |
| 4 | Win32.PUP.Bandoo | 10.69% | -3.22% |
| 5 | Win32.Toolbar.SearchQU | 3.07% | +1.19% |
| 6 | Win32.Toolbar.Mediabar | 2.69% | -0.79% |
| 7 | Win32.PUP.Predictad | 2.16% | -1.66% |
| 8 | GamePlayLabs | 1.60% | +0.72% |
| 9 | Win32.Adware.Agent | 1.47% | +0.19% |
| 10 | Win32.Adware.ShopAtHome | 1.46% | -1.46% |
| 11 | Yontoo | 1.12% | +0.64% |
| 12 | Click run software | 1.04% | new |
| 13 | RelevantKnowledge | 0.96% | -0.08% |
| 14 | Win32.Adware.Offerbox | 0.82% | -0.34% |
| 15 | Adware.Eorezo.a | 0.41% | +0.06% |
| 16 | GameVance | 0.39% | +0.07% |
| 17 | Zango | 0.22% | -0.65% |
| 18 | Possible Browser Hijack attempt | 0.19% | -0.02% |
| 19 | Win32.Adware.Altnet.GEN | 0.17% | -0.11% |
| 20 | Hotbar | 0.07% | -0.08% |

Top 20 PUPs detected on users’ PCs

Operating Systems

Infections by OS

Geographic Location

Infections by country of origin

We will keep monitoring the epidemiological situation worldwide and informing our readers about new malicious code samples in the next Lavasoft Security Bulletin.